Researchers at FireEye have attributed a campaign to remotely steal credentials from guests using Wi-Fi networks at hotels in Europe to APT28 -- also known as Fancy Bear -- a hacking organisation which many security firms have linked to Russia's military intelligence.
"This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version," Cristiana Brafman Kittner, senior analyst at FireEye, told ZDNet.
The attack begins with a spear-phishing campaign against multiple companies in the hospitality industry, operating hotels in at least seven European countries and one Middle Eastern country, which are sent emails designed to compromise their networks.
The messages carry a malicious document, "Hotel_Reservation_From.doc", containing a macro which, if successfully executed, decodes and deploys GameFish, which researchers describe as APT28's signature malware.
Once GameFish is running inside a hotel's network, the attackers use the EternalBlue SMB exploit to move laterally and locate the machines that control both the guest and internal Wi-Fi networks. With those machines under their control, they deploy Responder, an open source tool that poisons NetBIOS Name Service (NBT-NS) name lookups broadcast by hosts on the network: when a guest's laptop looks up a network resource by name, Responder answers as that resource and the victim machine hands its username and hashed password to the attacker-controlled host. The captured hashes can then be cracked offline, so the credentials are harvested from Wi-Fi traffic without ever being sent in the clear.
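The defensive counterpart to the Responder technique described above is to watch name resolution on the segment for a host that answers for names it has no business owning. The following is an added example written for this page, not code from FireEye or from the article: it runs simple poisoning heuristics over constructed NBT-NS/LLMNR resolution records (the IPs, hostnames and the canary name are all made up for illustration). A real deployment would feed it events parsed from a packet capture or a resolver log, and would periodically query a canary name that no legitimate host carries.

```python
"""Spot NBT-NS/LLMNR name poisoning (Responder-style) from name-resolution
records.

A poisoner such as Responder answers every broadcast name query with its
own address, so one host ends up "owning" many unrelated names, including
a canary name that no real host has. These heuristics flag that pattern.

All addresses, hostnames and the canary below are constructed for this
example; they are not observed data.
"""
from collections import defaultdict

# Hypothetical canary hostname we would query periodically from a probe
# machine; nothing legitimate should ever answer for it.
CANARY_NAME = "WPAD-CANARY-7F3A"

# Constructed sample records: (querying host, protocol, name queried,
# answering host). None as the answering host means nobody replied,
# which is what a healthy segment looks like for a name that does not exist.
SAMPLE_EVENTS = [
    ("10.40.1.21", "NBNS", "FILESRV01", "10.40.0.5"),    # real file server
    ("10.40.1.21", "NBNS", "FILESRV01", "10.40.1.99"),   # poisoner also answers
    ("10.40.1.34", "LLMNR", "prnt-lobby", "10.40.1.99"),
    ("10.40.1.52", "LLMNR", "wpad", "10.40.1.99"),
    ("10.40.1.60", "NBNS", "SHAREDRIVE", "10.40.1.99"),
    ("10.40.1.60", "NBNS", "FILESRV02", "10.40.0.6"),
    ("10.40.1.70", "LLMNR", CANARY_NAME, "10.40.1.99"),  # canary tripped
    ("10.40.1.21", "NBNS", "FILESRV02", None),           # unanswered lookup
]


def find_poisoners(events, max_names=3, canary=CANARY_NAME):
    """Return {answering_ip: [reasons]} for hosts that look like poisoners.

    Either heuristic alone is enough to flag a host:
      * it answered a query for the canary name, or
      * it answered for more than `max_names` distinct names (a legitimate
        host answers for its own name, perhaps an alias or two).
    """
    names_by_responder = defaultdict(set)
    canary_hits = set()
    for _src, _proto, name, responder in events:
        if responder is None:
            continue
        upper = name.upper()
        names_by_responder[responder].add(upper)
        if upper == canary.upper():
            canary_hits.add(responder)

    suspects = {}
    for responder, names in names_by_responder.items():
        reasons = []
        if responder in canary_hits:
            reasons.append("answered canary name")
        if len(names) > max_names:
            reasons.append(f"answered {len(names)} distinct names")
        if reasons:
            suspects[responder] = reasons
    return suspects


def conflicting_answers(events):
    """Names answered by more than one host: the race between the real
    owner of a name and a poisoner that replies to the same query."""
    responders_by_name = defaultdict(set)
    for _src, _proto, name, responder in events:
        if responder is not None:
            responders_by_name[name.upper()].add(responder)
    return {n: sorted(r) for n, r in responders_by_name.items() if len(r) > 1}


if __name__ == "__main__":
    for ip, why in find_poisoners(SAMPLE_EVENTS).items():
        print(f"suspected poisoner {ip}: {'; '.join(why)}")
    for name, hosts in conflicting_answers(SAMPLE_EVENTS).items():
        print(f"conflicting answers for {name}: {hosts}")
```

On the constructed sample the only host flagged is 10.40.1.99, for both reasons, and FILESRV01 is the one name with conflicting answers. The canary check is the more reliable signal in practice, since a busy segment can legitimately have a host answering for several aliases; the distinct-name threshold is there for segments where no canary probe is running.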
While the attack is carried out against the network as a whole, FireEye suggests that "hotel guests of interest could be directly targeted as well" -- government and business personnel have previously been of interest to APT28.
Researchers note that in one incident, a victim was compromised after connecting to a hotel network, but the attackers did not act immediately: they waited 12 hours before logging in to the victim's machine with the stolen credentials, a gap FireEye says could have been used to crack a captured password hash offline. The login originated from the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network.
The technique also relies on single-factor authentication: a captured hash or cracked password is of little use on its own against an account protected by two-factor authentication, which makes it harder for the attackers to break into targeted accounts.
The group behind DarkHotel also compromises hotel Wi-Fi connections and combines that access with spear-phishing attacks against specific targets.
However, FireEye says the two campaigns aren't linked and that DarkHotel -- also known as Fallout Team -- looks to be the work of a "Korean peninsula-nexus cyber espionage actor" and not APT28.
"While the previous targeting of victims through hotel public Wi-Fi by Fallout Team is similar to the latest APT28 campaign, these are two separate actors conducting operations for national security interests in support of their respective state sponsor," said Kittner.
"Further, there are technical differences between how each actor conducted their operation. Fallout Team presented fake software updates to users while APT28 is getting passwords from Wi-Fi traffic," she added.
FireEye warns that publicly accessible Wi-Fi networks present a significant threat and "should be avoided when possible".
With the public release of the EternalBlue exploit in the Shadow Brokers dump of NSA tooling, it is unfortunately unsurprising that hacking groups are looking to harness it and other leaked exploits for their own gain.
While the prospect of these exploits supercharging cyber-criminal gangs is bad enough, in the hands of advanced state-backed actors like APT28 the resulting malware can do even more damage.